diff --git a/typo3/sysext/core/Classes/Http/NormalizedParams.php b/typo3/sysext/core/Classes/Http/NormalizedParams.php
index 63af1d859f6fcf7fa20674aa798f14ed0212b8a4..6731d67723a91fb4df009ad1bfe2c8f2e489a9dd 100644
--- a/typo3/sysext/core/Classes/Http/NormalizedParams.php
+++ b/typo3/sysext/core/Classes/Http/NormalizedParams.php
@@ -588,10 +588,12 @@ class NormalizedParams
 if ($configuredProxySSL === '*') {
 $configuredProxySSL = trim($typo3ConfVars['SYS']['reverseProxyIP'] ?? '');
 }
+ $httpsParam = (string)($serverParams['HTTPS'] ?? '');
 if (GeneralUtility::cmpIP(trim($serverParams['REMOTE_ADDR'] ?? ''), $configuredProxySSL)
 || ($serverParams['SSL_SESSION_ID'] ?? '')
- || strtolower($serverParams['HTTPS'] ?? '') === 'on'
- || (string)($serverParams['HTTPS'] ?? '') === '1'
+ // https://secure.php.net/manual/en/reserved.variables.server.php
+ // "Set to a non-empty value if the script was queried through the HTTPS protocol."
+ || ($httpsParam !== '' && $httpsParam !== 'off' && $httpsParam !== '0')
 ) {
 $isHttps = true;
 }
diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
index fc14c97df05669f1b482d931ca6d95c2ce8f2aeb..5e9a2578f42efa664b8a2f3cdc0937bace0bf40f 100644
--- a/typo3/sysext/core/Classes/Utility/GeneralUtility.php
+++ b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -2777,7 +2777,10 @@ class GeneralUtility
 if (self::cmpIP($_SERVER['REMOTE_ADDR'], $proxySSL)) {
 $retVal = true;
 } else {
- $retVal = $_SERVER['SSL_SESSION_ID'] || strtolower($_SERVER['HTTPS']) === 'on' || (string)$_SERVER['HTTPS'] === '1';
+ // https://secure.php.net/manual/en/reserved.variables.server.php
+ // "Set to a non-empty value if the script was queried through the HTTPS protocol."
+ $retVal = $_SERVER['SSL_SESSION_ID']
+ || (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off');
 }
 break;
 case '_ARRAY':
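Review bot: In NormalizedParams.php the new comparison `$httpsParam !== 'off'` is case-sensitive, while the GeneralUtility.php hunk of this same commit lower-cases the value first, so `HTTPS=Off` or `OFF` is reported as HTTPS here and as plain HTTP there. Since the check now accepts every other non-empty value, such a false positive presumably reaches whatever relies on the HTTPS flag (scheme or cookie decisions), so both paths should agree: `|| ($httpsParam !== '' && strtolower($httpsParam) !== 'off' && $httpsParam !== '0')`. The enclosing method starts and ends outside the hunk.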
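Review bot: In GeneralUtility.php the rewritten assignment still reads `$_SERVER['SSL_SESSION_ID']` without a guard, although the HTTPS test beside it now uses `!empty()`; on a request where the key is absent this raises an undefined-index notice before the HTTPS value is even looked at. Writing it as `$retVal = !empty($_SERVER['SSL_SESSION_ID'])` keeps the same truthiness and matches the `?? ''` handling in NormalizedParams.php. `strtolower($_SERVER['HTTPS'])` also receives the raw value, whereas NormalizedParams.php casts with `(string)` first, so a `(string)` cast here would keep the two implementations aligned. The surrounding switch case continues outside the hunk.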
diff --git a/typo3/sysext/core/Tests/Unit/Http/NormalizedParamsTest.php b/typo3/sysext/core/Tests/Unit/Http/NormalizedParamsTest.php
index 72e6e22276dda385c8d1dff9f62096d3d656a8e3..0e03547765273d4e6296877a0cb381309ddb4976 100644
--- a/typo3/sysext/core/Tests/Unit/Http/NormalizedParamsTest.php
+++ b/typo3/sysext/core/Tests/Unit/Http/NormalizedParamsTest.php
@@ -190,6 +190,32 @@ class NormalizedParamsTest extends UnitTestCase
 [],
 true,
 ],
+ 'true if HTTPS is int(1)"' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => 1,
+ ],
+ [],
+ true,
+ ],
+ 'true if HTTPS is bool(true)' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => true,
+ ],
+ [],
+ true,
+ ],
+ // https://secure.php.net/manual/en/reserved.variables.server.php
+ // "Set to a non-empty value if the script was queried through the HTTPS protocol."
+ 'true if HTTPS is "somethingrandom"' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => 'somethingrandom',
+ ],
+ [],
+ true,
+ ],
 'false if HTTPS is "0"' => [
 [
 'HTTP_HOST' => 'www.domain.com',
@@ -198,6 +224,22 @@ class NormalizedParamsTest extends UnitTestCase
 [],
 false,
 ],
+ 'false if HTTPS is int(0)' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => 0,
+ ],
+ [],
+ false,
+ ],
+ 'false if HTTPS is float(0)' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => 0.0,
+ ],
+ [],
+ false,
+ ],
 'false if HTTPS is not on' => [
 [
 'HTTP_HOST' => 'www.domain.com',
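Review bot: The first added data set is named `'true if HTTPS is int(1)"'`, with a stray double quote before the closing single quote. The name is what the test runner prints on failure and what a filter has to match, so it should read `'true if HTTPS is int(1)'` like the neighbouring `bool(true)` entry. The data provider itself starts and ends outside the hunk.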
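Review bot: The added "false" data sets cover `0` and `0.0`, but none pins a differently cased off value such as `'Off'` or `'OFF'`. NormalizedParams.php in this commit compares with `!== 'off'` exactly, so such a value would be reported as HTTPS, and nothing here would catch that. A data set named `'false if HTTPS is "Off"'` with `'HTTPS' => 'Off'` and expected `false` would fix the intended behaviour in place. The existing `'false if HTTPS is not on'` entry is cut off by the hunk, so its value is not visible here.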
@@ -214,6 +256,35 @@ class NormalizedParamsTest extends UnitTestCase
 [],
 false,
 ],
+ 'false if HTTPS is null' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => null,
+ ],
+ [],
+ false,
+ ],
+ 'false if HTTPS is bool(false)' => [
+ [
+ 'HTTP_HOST' => 'www.domain.com',
+ 'HTTPS' => false,
+ ],
+ [],
+ false,
+ ],
+ // Per PHP documententation 'HTTPS' is:
+ // "Set to a non-empty value if the script
+ // was queried through the HTTPS protocol."
+ // So theoretically an empty array means HTTPS is off.
+ // We do not support that. Therefore this test is disabled.
+ //'false if HTTPS is an empty Array' => [
+ // [
+ // 'HTTP_HOST' => 'www.domain.com',
+ // 'HTTPS' => [],
+ // ],
+ // [],
+ // false,
+ //],
 'true if ssl proxy IP matches REMOTE_ADDR' => [
 [
 'HTTP_HOST' => 'www.domain.com',
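Review bot: The commented-out `'false if HTTPS is an empty Array'` data set says the case is unsupported but not what the code actually does with it. With the `(string)` cast added to NormalizedParams.php in this commit, an array becomes the string `Array` (plus a conversion notice) and would therefore be treated as HTTPS, the opposite of what the comment suggests. I would drop the dead data set and state the behaviour instead: `// An array value is cast to the string "Array" and thus counts as HTTPS; arrays are not supported.` The comment also misspells "documentation" as "documententation". The data provider continues outside the hunk.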